Microsoft has identified multiple 0-day attacks against on-premises versions of Microsoft Exchange Server. These attacks exploit vulnerabilities that allow attackers to access email accounts. Through those accounts they can then install further malware that gives them additional capabilities. The attackers include multiple state-sponsored groups that have targeted tens of thousands of Exchange servers throughout the world.
Microsoft Threat Intelligence Center (MSTIC) is highly confident that the advanced persistent threat (APT) group Hafnium is responsible for the initial attacks based on their procedures, tactics and victimology. This group is based in China and sponsored by that country, although many unrelated groups are also attacking Exchange servers at this time.
History
A security researcher identified two security flaws in Microsoft Exchange and reported them to Microsoft during early January 2021. Security research firm Volexity detected attacks exploiting these vulnerabilities on January 6 and formally notified Microsoft about them on February 2. Microsoft’s initial reports on the attacks indicated that Hafnium was exploiting a vulnerability in Exchange Server. Hafnium continued its attacks while Microsoft began working on patches to remediate the vulnerabilities.
Current Status
Microsoft released patches on March 2 to remediate the vulnerability, which affected Exchange Server 2013, 2016 and 2019. The patches don’t retroactively remove backdoors or repair any other type of damage; they only prevent future attacks from succeeding. The day after the patch was released, additional threat actors began scanning Exchange servers and compromising those that were still vulnerable. These actors included the following APT groups:
- APT27
- Calypso
- LuckyMouse
- Winnti Group
A research team from ESET, a Slovak internet security firm, observed that over 5,000 Exchange servers in 115 countries had been compromised with web shells through these attacks. Most of these servers were located in Germany, the U.K. and the U.S. In addition to the primary attack, ESET’s team reported that APT groups were conducting secondary attacks with the following hacking tools:
- DLTMiner
- IIS
- Opera Cobalt Strike loader
- ShadowPad
Tracking
Microsoft is tracking the Exchange Server vulnerabilities as the following four Common Vulnerabilities and Exposures (CVEs):
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
These vulnerabilities have become known collectively as ProxyLogon, since they’re generally based on logging onto Exchange Server through a proxy.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability. It allows an attacker to send arbitrary HTTP requests and authenticate them to an Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in Exchange Server’s Unified Messaging service. This type of vulnerability causes the server to deserialize data that an untrusted user controls. In the case of this particular vulnerability, Hafnium was able to execute code on the Exchange server as a system administrator.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability. It requires the attacker to authenticate to the Exchange server first by other means, such as the CVE-2021-26855 SSRF or compromised credentials of a legitimate administrator. Once Exchange Server has authenticated the attacker, it can use this vulnerability to write a file to any path on the server.
CVE-2021-27065 is another vulnerability of Exchange Server involving arbitrary file writes after authentication. Once the attacker is authenticated, it can write a file to any path on the server.
The large number of APTs that exploited these Exchange Server vulnerabilities so soon after their discovery shows how eager such groups are to compromise widely deployed products. It also demonstrates how important it is to apply security updates as soon as they’re released. Administrators of compromised servers should remove web shells and change credentials to close the additional avenues created by the attackers. In addition, they should examine these servers for signs of malicious activity.
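The examination step above is where most of the work is. The following script is an added example and is not Microsoft’s or ESET’s tooling; it illustrates two checks a defender would run on a patched server. The first parses Exchange HttpProxy logs for the CVE-2021-26855 SSRF signature (an unauthenticated request whose AnchorMailbox names a backend server with a `ServerInfo~` prefix rather than a mailbox), the second walks web-served directories for `.aspx`/`.ashx`/`.asmx` files that combine server-side script markers with request-controlled input. The CSV column names, the `ServerInfo~` pattern, the `aspnet_client` directory name and every log line and file are assumptions or constructed samples, not values taken from the page.

```python
"""Post-compromise triage helpers for an on-premises Exchange server.

Added example, not Microsoft's or ESET's code.  Assumptions (labelled):
 - HttpProxy logs are CSV with DateTime, ClientIpAddress, AuthenticatedUser
   and AnchorMailbox columns.
 - Web shells are script files dropped under web-served directories; the
   directory names used below are hypothetical.
"""
import csv
import os
import re
import tempfile
from typing import Iterable, List

# Constructed HttpProxy-style log excerpt (not a real server's log).
SAMPLE_LOG = """DateTime,ClientIpAddress,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:01.000Z,203.0.113.7,,ServerInfo~exchange.example.test/owa/auth/x.js
2021-03-03T10:15:09.000Z,198.51.100.5,CONTOSO\\alice,SMTP:alice@example.test
2021-03-03T10:16:44.000Z,203.0.113.7,,ServerInfo~exchange.example.test/ecp/y.js
"""

# (a) CVE-2021-26855 indicator: no authenticated user, and the anchor names a
# backend server ("ServerInfo~host/path") instead of a mailbox.  Assumed pattern.
SERVERINFO = re.compile(r"^ServerInfo~[^/]+/", re.IGNORECASE)


def find_ssrf_indicators(lines: Iterable[str]) -> List[dict]:
    """Return the HttpProxy rows that match the unauthenticated ServerInfo~ pattern."""
    hits = []
    for row in csv.DictReader(lines):
        anchor = (row.get("AnchorMailbox") or "").strip()
        user = (row.get("AuthenticatedUser") or "").strip()
        if user == "" and SERVERINFO.match(anchor):
            hits.append({"DateTime": row["DateTime"],
                         "ClientIpAddress": row.get("ClientIpAddress", ""),
                         "AnchorMailbox": anchor})
    return hits


# (b) Web shell triage: server-side script that reads request-controlled input
# and hands it to an evaluator or process launcher.  Two or more markers in one
# file is treated as worth a manual look; this is a triage heuristic, not proof.
SHELL_PATTERNS = [
    re.compile(r"runat\s*=\s*[\"']server[\"']", re.IGNORECASE),
    re.compile(r"Request\s*[\[.]", re.IGNORECASE),
    re.compile(r"\b(eval|Execute|Process\.Start|CreateObject)\s*\(", re.IGNORECASE),
]
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def scan_for_webshells(root: str) -> List[str]:
    """Return paths under root whose content matches at least two shell markers."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: report separately in a real triage
            if sum(1 for p in SHELL_PATTERNS if p.search(body)) >= 2:
                hits.append(path)
    return sorted(hits)


def demo() -> dict:
    """Run both checks over constructed data and return the hit counts."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "aspnet_client")  # hypothetical web-served dir
        os.makedirs(web)
        with open(os.path.join(web, "index.aspx"), "w") as fh:
            fh.write('<%@ Page Language="C#" %>\n<h1>hello</h1>\n')  # benign
        with open(os.path.join(web, "z.aspx"), "w") as fh:
            # Constructed, non-functional sample that only carries the markers.
            fh.write('<!-- constructed triage sample: runat="server" '
                     'Request["p"] Process.Start( -->\n')
        shells = scan_for_webshells(root)
    ssrf = find_ssrf_indicators(SAMPLE_LOG.splitlines())
    return {"ssrf_hits": len(ssrf), "webshell_hits": len(shells)}


if __name__ == "__main__":
    print(demo())
```

Both checks are deliberately noisy in the direction of false positives: an unauthenticated `ServerInfo~` anchor or a two-marker script file is a reason to pull the file and the surrounding log context for manual review, not a verdict. On a real server the log directory and web root would be passed in rather than built in a temporary directory, and a hit should be preserved (hash, timestamps, copy) before the web shell is removed, since the cleanup described above destroys evidence of how the server was used.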